Microsoft Windows has been at the forefront of enterprise computing for several decades. What most office workers see is the desktop side – such as Windows 7, 8 or 10. This course explores what it takes to design and build the server side of Windows in an enterprise environment. This course will explore everything from Windows Server installation to configuring users, to hardening the server operating system itself.
This course is the second course in the System Management and Security Specialization focusing on enterprise system management. The first week of this course provides an overview of how Windows operates in an enterprise environment and what it may look like in the real world. Week 2 of the course will show you how Windows users interact with the system. At the end of Week 2, you will be able to demonstrate how Windows authentication works. Week 3 will explore authorization in a Windows environment. At the end of Week 3, you will be able to differentiate between different authorization mechanisms and use different technologies to secure data within the environment. Week 4 explores built-in security features of Windows and demonstrates how to use each technology effectively and in what circumstances you would use what technology for what purpose. At the end of Week 4, you will be able to determine which technology is the best technology to use to secure certain portions of the Windows operating system.

Instructors

Greg Williams

Lecturer

Video transcript

In this lesson, I will talk about Windows rights and permissions. Let's talk about a scenario first. Your friend comes over and they knock on the door. You look through the peephole and see that it's your best friend. I authenticate them because the picture in my mind matches the picture on the outside of that peephole, matches the person. So I allowed them in. I am authorizing them to come in. They asked if they can go to the refrigerator and grab a Coke, to which I say "yes". And they go to the refrigerator and grab a Coke. Then they come to me and say, "Hey! Do you mind if I borrow your TV for a little bit?" And I say "no". Or you say "no". Well, that whole process has rights and permissions associated with it, just like Windows does. Each object, for example, the Coke or the TV, can have different rights and permissions on those objects, just in the same way that we have objects like files and folders inside of Windows.

So let's log in to my computer for a minute. Now, I authenticated into my computer, the passwords matched, and I exit out of Server Manager. I'm gonna go to those two folders that we created called secured documents and poorly secured documents. By right-clicking and pressing Properties, I'm looking at the Access Control List where the access control entry for this object of secured documents. Now, how does... how does one actually be allowed to get information? Now, when I authenticated into the system I was able to get an access token. The access token consists of the security ID of the user, the user's groups' Security ID and the rights that the per... that the user has permission to, on the specific machine. So each resource or each object, such as the secured documents folder, has an ACL on it and access control entries into it. So right here, there's my Access Control List. And here is my entry. The logged-on user may or may not have access to this folder. I may not have access to read or execute or list the folder contents.
So in this case the Stooges have access to this folder. Let's say I deleted that information, and you can always find the security ID if you want to dig through some of the registry settings, but it's really not important. When permissions are granted and when they are taken away, that security access token then the permissions associated with it change. So in order to access certain things, when I'm granted access in an enterprise domain I have to log out and ask for that access token again. So then I need to... so I would cancel out here. I would sign out and sign back in to get another access token to go back here to my secured documents folder.

So, my access control entry allows me to choose any number of allow or deny functions. Deny is always more powerful than allow. So, if I'm part of the Stooges group, for example, and I deny myself from reading or executing, that is gonna override my allow function within the Stooges group. So be careful on that, when you're denying users access to certain things. Whenever we access an object such as a file or a folder, the security reference monitor or SRM looks at the access token provided and compares that to the ACL on the object. And then the request is either granted or denied, depending on how you have your domain set up. You can also audit all this information just by going into some of the settings for the domain and choosing whether or not we wanna audit this process. Auditing means logging. Do we wanna log whether a user accessed it? Or do we wanna log if a user denied it, or maybe both?

We also have a concept in Windows called rights. Rights are a little bit different than permissions in that they are standard ways of logging in to something or doing something based on a series of actions. For example, allowing a user to log on through Terminal Services. This is a right that users can have, or log on as a service. We can deny or allow users to do this.
Now, why we would want to use rights in this case is if we have service accounts or if we have accounts that we don't want accessing certain systems. So we would deny the right to log on to certain systems depending on what information we wanted to have the user access. So in conclusion, looking at rights and permissions is something that a domain administrator or a system administrator is going to perform constantly. When the administrator is also looking at those permissions, we need to make sure that allow and deny functions are set appropriately.
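
The access check described in the transcript, modelled in Python as an added example (not part of the course material and not Windows' own code). It shows a token issued at sign-in being compared against a folder's access control entries, for both the stale-token case and a deny on the user set against an allow on the Stooges group. The SIDs, rights bits and function names are constructed for illustration, and only explicit ACEs are modelled, not inheritance.

```python
from dataclasses import dataclass

# Rights bits and SIDs are constructed for this example, not Windows' real values.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
USER_SID = "S-1-5-21-1111-2222-3333-1001"
STOOGES_SID = "S-1-5-21-1111-2222-3333-2001"

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # user or group the entry applies to
    mask: int   # rights the entry covers

@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset  # group membership as it was at sign-in

def logon(user_sid, directory):
    """Issue a token; group SIDs are copied once and never refreshed."""
    return Token(user_sid, frozenset(directory.get(user_sid, ())))

def canonical(dacl):
    return sorted(dacl, key=lambda ace: ace.kind != "deny")  # deny entries first

def access_check(token, dacl, desired):
    """Compare the token's SIDs with each ACE; True means access is granted."""
    sids = {token.user_sid} | token.group_sids
    remaining = desired
    for ace in canonical(dacl):
        if ace.sid not in sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False              # a matching deny ends the check
        if ace.kind == "allow":
            remaining &= ~ace.mask    # allows accumulate across entries
            if remaining == 0:
                return True
    return False                      # anything never allowed is denied

if __name__ == "__main__":
    directory = {USER_SID: set()}
    dacl = [Ace("allow", STOOGES_SID, READ | EXECUTE)]
    stale = logon(USER_SID, directory)
    directory[USER_SID].add(STOOGES_SID)      # joined Stooges after sign-in
    fresh = logon(USER_SID, directory)        # signed out and back in
    print(access_check(stale, dacl, READ), access_check(fresh, dacl, READ))
    dacl.append(Ace("deny", USER_SID, READ | EXECUTE))
    print(access_check(fresh, dacl, READ))    # deny on the user vs. group allow
```
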